From 168e116a36423e46ab3c2bcf5aa7b34f46122a34 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Sat, 15 Apr 2023 00:06:00 +0200
Subject: [PATCH] Add TLS support to tacker backends

By overriding the variable `tacker_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the tacker backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ib5dd3a2494bed81add670e331085294910d7f425
---
 defaults/main.yml | 48 ++++++++++++++++++++++++++++++++++++++++
 handlers/main.yml | 1 +
 tasks/main.yml | 20 +++++++++++++++++
 templates/tacker.conf.j2 | 6 +++++
 4 files changed, 75 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index a14fccc..95f35c6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -194,3 +194,51 @@ tacker_tacker_conf_overrides: {}
 tacker_api_paste_ini_overrides: {}
 tacker_policy_overrides: {}
 tacker_rootwrap_overrides: {}
+
+###
+### Backend TLS
+###
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+tacker_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+tacker_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+tacker_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# tacker server certificate
+tacker_pki_keys_path: "{{ tacker_pki_dir ~ '/certs/private/' }}"
+tacker_pki_certs_path: "{{ tacker_pki_dir ~ '/certs/certs/' }}"
+tacker_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+tacker_pki_regen_cert: ''
+tacker_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+tacker_pki_certificates:
+ - name: "tacker_{{ ansible_facts['hostname'] }}"
+ provider: ownca
+ cn: "{{ ansible_facts['hostname'] }}"
+ san: "{{ tacker_pki_san }}"
+ signed_by: "{{ tacker_pki_intermediate_cert_name }}"
+
+# tacker destination files for SSL certificates
+tacker_ssl_cert: /etc/tacker/tacker.pem
+tacker_ssl_key: /etc/tacker/tacker.key
+
+# Installation details for SSL certificates
+tacker_pki_install_certificates:
+ - src: "{{ tacker_user_ssl_cert | default(tacker_pki_certs_path ~ 'tacker_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+ dest: "{{ tacker_ssl_cert }}"
+ owner: "{{ tacker_system_user_name }}"
+ group: "{{ tacker_system_user_name }}"
+ mode: "0644"
+ - src: "{{ tacker_user_ssl_key | default(tacker_pki_keys_path ~ 'tacker_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+ dest: "{{ tacker_ssl_key }}"
+ owner: "{{ tacker_system_user_name }}"
+ group: "{{ tacker_system_user_name }}"
+ mode: "0600"
+
+# Define user-provided SSL certificates
+#tacker_user_ssl_cert:
+#tacker_user_ssl_key:
diff --git a/handlers/main.yml b/handlers/main.yml
index 87bb815..5051899 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -27,3 +27,4 @@
 listen:
 - "venv changed"
 - "systemd service changed"
+ - "cert installed"
diff --git a/tasks/main.yml b/tasks/main.yml
index 9707109..f63892c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -77,6 +77,26 @@
 tags:
 - tacker-install
 
+- name: Create and install SSL certificates
+ include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - tacker-config
+ - pki
+ vars:
+ pki_setup_host: "{{ tacker_pki_setup_host }}"
+ pki_dir: "{{ tacker_pki_dir }}"
+ pki_create_certificates: "{{ tacker_user_ssl_cert is not defined and tacker_user_ssl_key is not defined }}"
+ pki_regen_cert: "{{ tacker_pki_regen_cert }}"
+ pki_certificates: "{{ tacker_pki_certificates }}"
+ pki_install_certificates: "{{ tacker_pki_install_certificates }}"
+ when:
+ - tacker_backend_ssl
+ tags:
+ - always
+
 - name: Install the python venv
 import_role:
 name: "python_venv_build"
diff --git a/templates/tacker.conf.j2 b/templates/tacker.conf.j2
index 935d9c7..4ca3d60 100644
--- a/templates/tacker.conf.j2
+++ b/templates/tacker.conf.j2
@@ -40,6 +40,12 @@ service_plugins = nfvo,vnfm
 # Supported values are 'keystone'(default), 'noauth'.
 auth_strategy = keystone
+{% if tacker_backend_ssl | bool %}
+use_ssl = True
+ssl_cert_file = {{ tacker_ssl_cert }}
+ssl_key_file = {{ tacker_ssl_key }}
+{% endif %}
+
 [nfvo_vim]
 vim_drivers = openstack
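Review bot: The comment above `tacker_backend_ssl` only says that haproxy-to-backend traffic gets encrypted, while the commit description states the consequence an operator toggling it actually needs to know: the backend API then stops serving plain HTTP. Suggest extending the comment to `# Define if communication between haproxy and service backends should be` / `# encrypted with TLS. When enabled, the tacker API backend serves HTTPS only` / `# and plain HTTP is disabled.` It is also worth noting in the same comment that the value renders as a string ("True"/"False"), so every consumer has to apply `| bool` the way the tacker.conf.j2 hunk does. The commented-out `tacker_user_ssl_cert`/`tacker_user_ssl_key` placeholders at the end of the hunk would benefit from a one-line note that they are consumed as a pair, since `tacker_pki_install_certificates` falls back to a generated path for whichever one is left undefined.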
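Review bot: `pki_create_certificates` only disables generation when both `tacker_user_ssl_cert` and `tacker_user_ssl_key` are undefined, so a deployer who sets just one of them gets no generated material while `tacker_pki_install_certificates` (defaults/main.yml hunk) still points the other file at the generated `-chain.crt` / `.key.pem` path, and the run fails late in the pki role with a missing-source error rather than with a message naming the misconfiguration. A guard before the include would fail fast and explain the contract; the `include_role` task itself stays as written. The assert below is a suggested shape for that guard, placed immediately before the "Create and install SSL certificates" task.

```yaml
- name: Ensure user-provided certificate and key are supplied together
  assert:
    that:
      - (tacker_user_ssl_cert is defined) == (tacker_user_ssl_key is defined)
    fail_msg: "tacker_user_ssl_cert and tacker_user_ssl_key must both be set or both be left undefined"
  when:
    - tacker_backend_ssl
  tags:
    - always

# … unchanged: "Create and install SSL certificates" include_role task …
```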